DETAILED ACTION 



1. This action is in response to the Appeal Brief filed on August 16, 2005. Claims 1 
- 21 were originally received for consideration. Therefore, presently pending claims are 
1 - 21. 



Response to Arguments 

2. In view of the Appeal Brief filed on August 16, 2005, PROSECUTION IS 
HEREBY REOPENED. A new ground of rejection is set forth below. 

To avoid abandonment of the application, appellant must exercise one of the 
following two options: 

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply 
under 37 CFR 1.113 (if this Office action is final); or, 

(2) request reinstatement of the appeal. 

If reinstatement of the appeal is requested, such request must be accompanied 
by a supplemental appeal brief, but no new amendments, affidavits (37 CFR 1.130, 
1.131 or 1.132) or other evidence are permitted. See 37 CFR 1.193(b)(2). 
Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A person shall be entitled to a patent unless - 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1 - 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Farley et al. (Publication Number: 2002/0078381), in view of Burrows et al. (Publication 
Number: 2002/0073338). 

As per claim 1, 8 and 15, Farley teaches a method in a data processing system 
for reporting security situations, comprising the steps of: 

logging events by storing event attributes as an event set, wherein each event 
set includes a source attribute, a target attribute and an event category attribute (Farley, 
see example, Para [0019] Line 1 - 3 and Para [0019] Line 12 - 17: SRC / DEST / 
EVENT TYPE as the event attribute parameters); 

Farley teaches classifying and correlating the raw events (Farley, Para [0019] 
Line 1 - 3). However, Farley does not disclose expressly classifying events as groups 
by aggregating events with at least one attribute within the event set as an identical 
value. 
Burrows teaches classifying events as groups by aggregating events with at least 
one attribute within the event set as an identical value (Burrows, see example, Para 
[0050] and Para [0046] Line 10-11: Burrows teaches aggregating the correlated raw 
events into event groups with at least one attribute within the event set as an identical 
value such as (a) same SRC address (Para [0050]), or (b) same DEST address (Para 
[0046] Line 10 - 11) to detect broadcasting traffic storm and server attacked network 
problems respectively). 

calculating severity levels for the groups (Burrows: Para [0050] Line 3-9: the 
"broadcast storm" is qualified to meet the severity level as an event caused by the 
identical SRC and different DEST when the aggregating events exceed the 
predetermined number (i.e., threshold) as taught by Burrows). 

reporting a group from the groups to a user as a situation, if a severity level of the 
group exceeds a threshold value (Burrows: Para [0050] Line 3 - 9 and Para [0018] Line 
14-17: instructing the switches to discard packets or disable the forwarding SRC port 
accordingly, as an appropriate action of the problem reports). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Burrows within the system of Farley 
because (a) Farley teaches classifying and correlating raw events by providing a 
security management system in a networked computer system (Farley, Para [0019] Line 
1 - 3 and Para [0016]) and (b) Burrows teaches improving network throughput 
performance by recognizing undesirable packet traffic patterns after aggregating the 
correlated raw events into event groups such as broadcasting traffic storm and server 
attacked group events (Burrows, see example, Para [0050] and Para [0046] Line 10 - 
11). 
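
The claim 1 steps mapped above (log event sets, group on identical attribute values, calculate a severity level, report groups over a threshold), as an added Python illustration that is not code from the application, Farley or Burrows. The sample events, the `severity` formula (event count times the number of attributes held constant) and the threshold values are assumptions.

```python
from collections import defaultdict
from itertools import combinations

ATTRS = ("source", "target", "category")

# Constructed sample event sets (not taken from the cited references).
EVENTS = (
    # One source fanning out to many targets (the "same SRC" pattern).
    [{"source": "10.0.0.5", "target": f"10.0.1.{i}", "category": "network"}
     for i in range(1, 7)]
    # Many sources converging on one target (the "same DEST" pattern).
    + [{"source": f"192.0.2.{i}", "target": "10.0.2.10", "category": "auth_failure"}
       for i in range(1, 5)]
    # Unrelated background event.
    + [{"source": "10.0.0.9", "target": "10.0.3.3", "category": "web"}]
)

def group_events(events):
    """Aggregate event sets sharing identical values for one or more attributes."""
    groups = defaultdict(list)
    for n in range(1, len(ATTRS) + 1):
        for held in combinations(ATTRS, n):
            for ev in events:
                key = tuple((a, ev[a]) for a in held)
                groups[key].append(ev)
    return groups

def severity(key, members):
    """Assumed scoring: event count weighted by number of attributes held constant."""
    return len(members) * len(key)

def situations(events, threshold):
    """Return (held attributes, severity, event count) for groups over the threshold."""
    found = []
    for key, members in group_events(events).items():
        score = severity(key, members)
        if score > threshold:  # report only when severity exceeds the threshold
            found.append((dict(key), score, len(members)))
    return sorted(found, key=lambda s: -s[1])

if __name__ == "__main__":
    for held, score, count in situations(EVENTS, threshold=5):
        print(f"severity={score:2d} events={count} held constant: {held}")
```
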

As per claim 2, 9 and 16, Farley as modified further teaches the severity levels 
are calculated based on at least one of the number of event sets within each of the 
groups, the source attribute of the event sets within each of the groups, the target 
attribute of the event sets within each of the groups, and the event category attribute of 
the event sets within each of the groups (Burrows, see example, Para [0050] and Para 
[0046] Line 10-11: Burrows teaches aggregating the correlated raw events into event 
groups with at least one attribute within the event set as an identical value such as 
same SRC address (Para [0050]), or (b) same DEST address (Para [0046] Line 10 - 
11) to detect broadcasting traffic storm and server attacked network problems 
respectively). 

As per claim 3, 10 and 17, Farley as modified further teaches the events include 
at least one of a web server event, an electronic mail event, a Trojan horse, denial of 
service, a virus, a network event, an authentication failure, and an access violation 
(Farley: Para [0016] Line 1-10). 

As per claim 4, 11 and 18, Farley as modified further teaches calculating the 
threshold value based on at least one of the source attribute of the event sets within the 
group, the target attribute of the event sets within the group, the event category attribute 
in each event set of the group, and the number of attributes in each event set of the 
group that are held constant across all of the event sets in the group (Burrows: Para 
[0050] Line 3-9: the "broadcast storm" is qualified to meet the severity level as an 
event caused by the identical SRC and different DEST when the aggregating events 
exceed the predetermined number (i.e., threshold) as taught by Burrows). 

As per claim 5, 12 and 19, Farley as modified further teaches the target attribute 
represents one of a computer and a collection of computers (Farley, see example, Para 
[0019] Line 1 - 3 and Para [0019] Line 12 - 17: SRC / DEST / EVENT TYPE as the 
event attribute parameters). 

As per claim 6, 13 and 20, Farley as modified further teaches the 
source attribute represents one of a computer and a collection of computers (Farley, 
see example, Para [0019] Line 1 - 3 and Para [0019] Line 12-17: SRC / DEST / 
EVENT TYPE as the event attribute parameters). 

As per claim 7, 14 and 21, Farley as modified further teaches aggregating a 
subset of the groups into a combined group (Farley, see example, Para [0079] and 
[0080]; Burrows, see example, Para [0050] and Para [0046] Line 10-11). 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Longbit Chai whose telephone number is 571-272-3788. 
The examiner can normally be reached on Monday-Friday 8:00am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 